5 months after Equifax breach, no new data security rules

But consumers have better, sometimes free, ID theft protection tools

Five months after learning about the massive data theft at Equifax,
consumers’ best hope to protect their identity is ... still their own efforts.

Hackers took more than 145 million people’s Social Security
numbers and other keys to identity, sparking a raft of investigations, lawsuits
and reform proposals in Congress.

But despite outrage at Equifax's security breach – and the 47-day period
before victims were notified in September – disagreement over new security and notification standards is delaying tougher rules and penalties.

“My concern is, when you start to talk about a national
standard, dealing with members of Congress from all different states, the
national standard is usually a race to the bottom,” said Rep. Maxine Waters,
D-Calif.

Waters made the remarks during a Feb. 14 hearing
of the House Subcommittee on Financial Institutions and Consumer Credit,
which highlighted divisions over how to tighten data security.

Meanwhile, some credit bureaus have offered online tools
that let consumers control access to their credit reports, helping block fraud.

Options offered by
credit bureaus to 'lock' your credit report

Equifax released a free mobile and desktop app in
January that lets you lock and unlock your Equifax credit file electronically,
in less than one minute. The Lock
& Alert service follows the company’s pledge to give individuals
control over their credit file for free, permanently. However, you have to
agree to terms and conditions that allow the company to store your information
and share it in limited circumstances. The company had previously offered one
year of free access to its existing TrustedID credit control tool. People who
signed up for TrustedID after the breach should switch to the free-for-life
Lock & Alert.

TransUnion’s free TrueIdentity service also lets you
lock and unlock your credit report. However, sign-up includes a class-action
waiver that blocks your right to take the company to court – a red flag to
consumer rights experts. Sign-up also means you will receive offers from
TransUnion and partners, the terms
agreement states. The TrueIdentity page has several links to fee-based extras
including credit monitoring. TransUnion has not issued a pledge that the
service will always be free.

Experian, the third major credit bureau, has not
announced plans for a free credit lock. Its existing CreditLock service is
available as part of a service called
IdentityWorks for $9.99 a month.

Some services provided by credit bureaus offer free locking
and unlocking of credit reports – similar to state-mandated credit
freezes, which typically cost about $10 per credit bureau.

However, locks
provided by credit bureaus fall short of the no-strings-attached control that
consumer advocates call for. “Folks need to make sure that what they’re saying
is free is really free,” said Ira Rheingold, executive director of the National
Association of Consumer Advocates.

"Folks need to make sure that what they're saying is free is really free."

The debate over
national standards for data security laws

Business groups call
for a flexible national standard, tailored to different industries, to replace
an array of breach notification rules under state laws. Opponents don’t want to
toss out existing consumer protection at the state level.

“Federal standards should be a baseline standard ... which
allows states to regulate upward and respond to privacy threats as they
emerge,” said Marc Rotenberg, president of the Electronic Privacy Information
Center at the subcommittee hearing.

“No solution we devise can be perfect – nothing will solve [data breaches] altogether,” said Paul Rosenzweig, senior fellow at the market-oriented
R Street Institute and a law lecturer at Georgetown University.

The penetration of Equifax systems occurred from May through
July in 2017, the company announced
in September, exposing driver’s license numbers, birth dates and addresses
in addition to Social Security numbers, and in some cases other identifiers.

The hack puts people at risk of having their accounts
hijacked or their identity stolen by fraudsters using their identifying details
– although the stolen data has not turned up on hacker websites yet.

Velasquez, formerly a fraud investigator in the San Diego
District Attorney’s office, launched an online petition for free credit freezes
after the breach. The drive delivered 150,000 signatures to the CEOs of the big
three credit bureaus – none of whom responded, she said.

She said that an official credit freeze is more secure than
company-provided services such as Lock & Alert, which permits credit
reports to be viewed by prospective employers and by companies offering pre-approved
insurance.

However, Equifax’s lock does shut out applications for new loans,
credit cards and bank accounts, a powerful tool for fighting fraud.

“Both the lock and the freeze stop opening of a new line of
credit,” Velasquez said.

Equifax’s price to
pay for data breach still pending, too

Meanwhile, like new security measures, penalties for the credit bureau’s security
lapse are still in the works:

Equifax initially faced more than 240 class-action
lawsuits in the U.S. and Canada as a result of the breach, according to its financial
disclosure statement at the U.S. Securities and Exchange Commission. Claims
for damages are coming from investors and financial institutions as well as from
consumers whose data was stolen. The lawsuits are being combined into one
multi-district lawsuit in federal court.

Investigations are underway by the U.S. Federal
Trade Commission – which enforces data security standards at credit bureaus
under the Gramm-Leach-Bliley
Act – the Consumer Financial Protection Bureau, the SEC, state bank
regulators and 50 state attorneys general, among other U.S. and international
authorities.

The SEC and the Justice Department are
investigating stock sales by three company executives that occurred before the
breach was made public. A panel of Equifax independent board members cleared
the three of wrongdoing, saying they learned about the possible breach in
August, after they had sold their shares. However, Equifax said it has received
subpoenas concerning the stock sales from the SEC and the U.S. Attorney’s
Office in Atlanta. The company’s shares lost one-third of their value in the
days after the breach was announced.

"When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish [Equifax] and provides real remedies to consumers."

What’s next for
class-action suits against Equifax

The consumer lawsuits against Equifax are being combined
into a “multi-district litigation” case in U.S. District Court in Atlanta,
where Equifax is headquartered.

The case, under Judge Thomas W. Thrash Jr., will eventually generate
letters notifying breach victims of their membership in the class, legal
experts said.

The letters let consumers opt out of the case if they have an
individual claim that would likely be larger than what’s available to them
through the class action.

“When settlements get reached, or the case goes to trial, a
lot of people will be looking closely to see that it is something that really
does punish them,” Rheingold said, “and provides real remedies to consumers.”

Bills in Congress on data security, consumer protection

Numerous identity data security bills are pending in the 115th Congress. None has passed the committee-level review necessary to go to a vote
of the full House or Senate.

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

Contact

Related Sites

ADVERTISER DISCLOSURE
CreditCards.com is an independent, advertising-supported comparison service. The offers that appear on this site
are from companies from which CreditCards.com receives compensation. This compensation may impact how and where
products appear on this site, including, for example, the order in which they appear within listing categories.
Other factors, such as our proprietary website's rules and the likelihood of applicants' credit approval also
impact how and where products appear on the site. CreditCards.com does not include the entire universe of available
financial or credit offers.

CARDMATCH™ is a free, secure service that will not affect your credit score. Simply provide your basic information, and view offers that match your credit profile within seconds.

Advertiser Disclosure

CreditCards.com is an independent, advertising-supported comparison service. The offers that appear on this site are from companies from which CreditCards.com receives compensation. This compensation may impact how and where products appear on this site, including, for example, the order in which they may appear within listing categories. Other factors, such as our own proprietary website rules and the likelihood of applicants' credit approval also impact how and where products appear on this site. CreditCards.com does not include the entire universe of available financial or credit offers.